AES-NI GCM support?

Hi,
Does your IPSEC support AES-NI GCM?

I would like to set up IPsec on a pfSense firewall.

Also, I understand you don’t support that platform, but any tips, guides on configuration?

Thanks

Hi @Eric_d!

There shouldn’t be any barriers server-side for you establishing a connection with pfSense over IPSec. However, can you tell me what backend software is being used for IPSec? Strongswan, Openswan, racoon?

Nick
Golden Frog Support

pfSense uses strongSwan.

So does VyprVPN support AES-NI GCM encryption?

You can see the pfsense config screen here
img.velder.li/images/7736feec88786ece92b35342572d1967.png

Thanks

Yes, we do support that encryption. If the locally-provided IPsec system is compiled with support for AES-NI GCM and the hardware provides it, then the IPsec connection will use it. If the local system isn’t compiled with support or if the hardware doesn’t support it, then the IPsec connection won’t use it.

I don’t have any guides or tips I can provide on setup, but I would encourage any other community members who have setup IPSec in pfSense to chime in!

Nick
Golden Frog Support

@Eric_d, I can provide you with some VERY RUDIMENTARY Strongswan information if you’d like. It’s from some work I’ve done with the EdgeRouter Lite (Ubiquiti’s nice $99 router). I call it rudimentary because it’s a lot of “put this file here” and “put this file there” type thing that can serve as a rough “guide” for you. It is strictly a “Your Mileage May Vary” sort of thing.

If you or anyone is interested, I can spend a little bit of time getting it formatted into a forum post.

@Eric_d, I’m curious which pfSense device you are working with, and if you do get it working I’m very interested to know what level of throughput you achieve with it. I was underwhelmed with the results from the EdgeRouter Lite – but it seems that the Ubiquiti community has long discussed problems with IPSec performance on that platform to which Ubiquiti has had no answer.

These steps were done on an EdgeRouter Lite running EdgeOS v1.5.0 running an older version of StrongSwan – I forget which now but it is at least one major revision behind the current version. If you’re using this information on any other device, your mileage may vary!

First, you install the following files into the system. (These certificates and this key are available from ZIP files on the Golden Frog support site as well, under some of our manual IPSec configuration instructions. I provide them here so you don’t have to go dig them out.)

/etc/ipsec.d/cacerts/goldenfrog-ca.crt

Bag Attributes: <No Attributes>
subject=/C=KY/ST=GrandCayman/L=GeorgeTown/O=GoldenFrog-Inc/CN=GoldenFrog-Inc CA/emailAddress=admin@goldenfrog.com
issuer=/C=KY/ST=GrandCayman/L=GeorgeTown/O=GoldenFrog-Inc/CN=GoldenFrog-Inc CA/emailAddress=admin@goldenfrog.com

/etc/ipsec.d/certs/goldenfrog-client.crt

Bag Attributes
localKeyID: B9 38 E7 E7 40 29 6C 59 BA EB 94 B7 77 A6 95 16 5C 90 A4 32 
subject=/C=KY/ST=GrandCayman/L=GeorgeTown/O=GoldenFrog-Inc/CN=goldenfrog-client/emailAddress=admin@goldenfrog.com
issuer=/C=KY/ST=GrandCayman/L=GeorgeTown/O=GoldenFrog-Inc/CN=GoldenFrog-Inc CA/emailAddress=admin@goldenfrog.com

/etc/ipsec.d/private/goldenfrog-client.key

Bag Attributes
localKeyID: B9 38 E7 E7 40 29 6C 59 BA EB 94 B7 77 A6 95 16 5C 90 A4 32 
Key Attributes: <No Attributes>

/etc/ipsec.secrets:

: RSA goldenfrog-client.key "goldenfrog"
username@domain.com: XAUTH "PASSWORD-HERE"

Then add to /etc/ipsec.conf:

config setup
	# plutodebug=all
	# crlcheckinterval=600
	# strictcrlpolicy=yes
	# cachecrls=yes
	nat_traversal=yes
	charonstart=yes
	plutostart=yes
	charondebug="ike 4, knl 4 cfg 2"
conn vyprvpn
	type=tunnel
	authby=xauthrsasig
	xauth=client
	xauth_identity=username@domain.com
	ike=aes-sha1-modp1024
	esp=aes-sha1
	auto=add
	keyingtries=3
	keyexchange=ikev1
	rekeymargin=3m
	ikelifetime=8h
	keylife=1h
	left=%defaultroute
	leftsourceip=%config
	leftcert=goldenfrog-client.crt
	leftfirewall=yes
	right=209.99.62.150
	rightid=@us2.vpn.goldenfrog.com
	rightsubnet=0.0.0.0/0
  • The rightid is the FQDN hostname for the site – it must match the certificate returned by the IPSec server.
  • The right value is the IP address matching the FQDN hostname to which you are connecting.
  • Make sure to put your real username into /etc/ipsec.secrets and /etc/ipsec.conf and your password in quotation marks in ipsec.secrets.
  • Then to start the IPSec daemons, as root: ipsec start
  • Then to connect vyprvpn: ipsec up vyprvpn
  • Then, to make routing work through the IPSec tunnel, modify your NAT rule to use the IP address of the IPSec tunnel and NOT use straight masquerading, which would use the primary address on the eth0 interface instead of the VPN IP address.

If you do this on a different platform, or even on the EdgeRouter Lite, and you find improvements, please share them back with us here!

Thanks,
Michael Douglass
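A consistency check for the three files above (ipsec.conf, ipsec.secrets and the /etc/ipsec.d layout), added here as an example; it is not part of Michael's post or of Golden Frog's tooling, and the snippets and the `INSTALLED` listing inside it are constructed stand-ins for the real files.

```python
import re
# Constructed samples mirroring the posted files; INSTALLED mimics an /etc/ipsec.d listing that lacks the key.
CONF = """config setup
conn vyprvpn
\tauthby=xauthrsasig
\txauth_identity=username@domain.com
\tleftcert=goldenfrog-client.crt
"""
SECRETS = ': RSA goldenfrog-client.key "goldenfrog"\nusername@domain.com: XAUTH "PASSWORD-HERE"\n'
INSTALLED = {"cacerts/goldenfrog-ca.crt", "certs/goldenfrog-client.crt"}
def parse_conf(text):
    """ipsec.conf -> {section: {key: value}}; 'conn X' is keyed 'X', 'config setup' is 'setup'."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments; skip blank lines
        if not line.strip():
            continue
        if not line[0].isspace():                  # an unindented line starts a section
            cur = line.split()[-1]
            sections[cur] = {}
        elif cur and "=" in line:
            k, v = line.strip().split("=", 1)
            sections[cur][k.strip()] = v.strip()
    return sections

def parse_secrets(text):
    """ipsec.secrets -> [(selector, type, args)], e.g. ('', 'RSA', 'file "pass"')."""
    pat = re.compile(r'^\s*(.*?)\s*:\s*(\w+)\s+(.*)$')
    return [m.groups() for m in map(pat.match, text.splitlines()) if m]

def check(conf_text, secrets_text, installed, conn="vyprvpn"):
    """Return the mismatches that would break IKEv1 RSA+XAUTH for `conn` (empty = consistent)."""
    c, secrets, problems = parse_conf(conf_text).get(conn, {}), parse_secrets(secrets_text), []
    if c.get("leftcert") and "certs/" + c["leftcert"] not in installed:
        problems.append(f"leftcert {c['leftcert']} missing from /etc/ipsec.d/certs")
    keys = [a.split()[0] for _, t, a in secrets if t == "RSA"]   # ': RSA <keyfile> "passphrase"'
    if not keys:
        problems.append("no ': RSA <keyfile>' line in ipsec.secrets")
    elif "private/" + keys[0] not in installed:
        problems.append(f"RSA key {keys[0]} missing from /etc/ipsec.d/private")
    ident = c.get("xauth_identity", "")
    pws = [a.strip().strip('"') for s, t, a in secrets if t == "XAUTH" and s == ident]
    if c.get("authby") == "xauthrsasig" and not pws:
        problems.append(f"no XAUTH secret for identity {ident!r} in ipsec.secrets")
    for pw in pws:
        if ident == "username@domain.com" or pw == "PASSWORD-HERE":
            problems.append("placeholder username/password still present")
        if '"' in pw or "\\" in pw:
            problems.append('password contains " or \\, which the quoted secrets syntax may not accept as-is')
    return problems
```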

Hi

Thanks for the support on this.

I am using a pfSense appliance which has the Intel “Rangeley” Atom C2558 2.4 GHz with Intel QuickAssist
http://store.pfsense.org/SG4860/

This supports AES-NI, so I want to try to compare the performance of OpenVPN vs IPSEC to VyprVPN. I was hoping that by taking advantage of the hardware encryption, I could get “better” performance. I am using firewall rules/aliases etc. to only route certain devices via the VPN connection and it’s all working fine with OpenVPN.

Thanks for the notes below, I will see how I can use the configs to figure out the right settings in pfSense, as it does not usually need you to create/edit/copy files in the OS since it has a web GUI. I think I have some of the certs already loaded from when I set up OpenVPN (assuming they are the same certs).

Here is a screenshot of the pfSense IPsec config screen:
img.velder.li/images/7736feec88786ece92b35342572d1967.png

Will report back if I get it working.
Thanks
Eric…

Eric_d,

Any success?

Thanks!
Michael

Hi
I tried, but had to give up. I could not work out how to map your text-based version to the GUI fields used in pfSense.

I got some of the fields mapped, but got stuck on the userid/password, i.e. the secrets file.

Hi @mikedoug, I’ve been trying to follow your IPsec steps on the Ubiquiti EdgeRouter. I’m not very good with strongSwan, but any idea what this error indicates:

root@ubnt:~# ipsec up vyprvpn
002 "vyprvpn" #13: initiating Main Mode 
102 "vyprvpn" #13: STATE_MAIN_I1: initiate
003 "vyprvpn" #13: received Vendor ID payload [XAUTH]
003 "vyprvpn" #13: ignoring Vendor ID payload [Cisco-Unity]
003 "vyprvpn" #13: received Vendor ID payload [RFC 3947] 
003 "vyprvpn" #13: received Vendor ID payload [Dead Peer Detection]
002 "vyprvpn" #13: enabling possible NAT-traversal with method 3
104 "vyprvpn" #13: STATE_MAIN_I2: sent MI2, expecting MR2
003 "vyprvpn" #13: NAT-Traversal: Result using RFC 3947: both are NATed
002 "vyprvpn" #13: we have a cert and are sending it upon request
003 "vyprvpn" #13: **unable to locate my private key for signature**
224 "vyprvpn" #13: STATE_MAIN_I2: AUTHENTICATION_FAILED
002 "vyprvpn" #13: sending encrypted notification AUTHENTICATION_FAILED to 209.99.95.150:500

Isn’t the private key the file in /etc/ipsec.d/private?

OK, I retried on a different system and am now getting a different error of “extended authentication failed”. Any ideas? Shouldn’t this just be my username and password in ipsec.secrets?

root@ubnt:/etc# ipsec up vyprvpn
002 "vyprvpn" #2: initiating Main Mode
102 "vyprvpn" #2: STATE_MAIN_I1: initiate
003 "vyprvpn" #2: received Vendor ID payload [XAUTH]
003 "vyprvpn" #2: ignoring Vendor ID payload [Cisco-Unity]
003 "vyprvpn" #2: received Vendor ID payload [RFC 3947]
003 "vyprvpn" #2: received Vendor ID payload [Dead Peer Detection]
002 "vyprvpn" #2: enabling possible NAT-traversal with method 3
104 "vyprvpn" #2: STATE_MAIN_I2: sent MI2, expecting MR2
003 "vyprvpn" #2: NAT-Traversal: Result using RFC 3947: both are NATed
002 "vyprvpn" #2: we have a cert and are sending it upon request
106 "vyprvpn" #2: STATE_MAIN_I3: sent MI3, expecting MR3
002 "vyprvpn" #2: Peer ID is ID_FQDN: 'us2.vpn.goldenfrog.com'
002 "vyprvpn" #2: crl not found
002 "vyprvpn" #2: certificate status unknown
002 "vyprvpn" #2: ISAKMP SA established
004 "vyprvpn" #2: STATE_MAIN_I4: ISAKMP SA established
002 "vyprvpn" #2: parsing XAUTH request
002 "vyprvpn" #2: sending XAUTH reply
118 "vyprvpn" #2: STATE_XAUTH_I1: sent XAUTH reply, expecting status
002 "vyprvpn" #2: parsing XAUTH status
002 "vyprvpn" #2: extended authentication failed
002 "vyprvpn" #2: sending XAUTH ack
root@ubnt:/etc#

Hi @stig:

Mike is out today but as soon as he gets back (possibly tomorrow or Monday) I’ll see what he thinks and get an answer for your question. Thank you!

Katie

@stig,

The best I can think is that there’s some typo in your password – or your password has a character that the plain-text ipsec.secrets file doesn’t play nice with (possibly a " or a \ in there?). Alternatively, check the exact syntax to match my sample /etc/ipsec.secrets: username followed by colon-space followed by XAUTH-space-quote-PASSWORD-quote.

If you can privately send me your username, I can look to see if I have any more information about the authentication failures on our side.

Thanks,
MikeDoug
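The two `ipsec up vyprvpn` transcripts above, run through a small triage parser that reports how far IKE got and which secrets-file line to look at; this is an added example, not code from the thread or from Golden Frog, with the log excerpts constructed from the posted output and the advice drawn from the replies.

```python
import re

# Constructed excerpts of the two `ipsec up vyprvpn` transcripts above (pluto, strongSwan 4.x).
LOG_KEY_MISSING = """002 "vyprvpn" #13: initiating Main Mode
104 "vyprvpn" #13: STATE_MAIN_I2: sent MI2, expecting MR2
002 "vyprvpn" #13: we have a cert and are sending it upon request
003 "vyprvpn" #13: unable to locate my private key for signature
224 "vyprvpn" #13: STATE_MAIN_I2: AUTHENTICATION_FAILED"""
LOG_XAUTH_FAILED = """002 "vyprvpn" #2: initiating Main Mode
004 "vyprvpn" #2: STATE_MAIN_I4: ISAKMP SA established
118 "vyprvpn" #2: STATE_XAUTH_I1: sent XAUTH reply, expecting status
002 "vyprvpn" #2: extended authentication failed"""

LINE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')   # code "conn" #sa: message

# (message fragment, failure label, what to check); the first fragment seen decides.
RULES = [
    ("unable to locate my private key", "rsa-key",
     "phase 1 RSA auth: the ': RSA <keyfile> \"passphrase\"' line in ipsec.secrets must name "
     "the key in /etc/ipsec.d/private that matches leftcert"),
    ("extended authentication failed", "xauth",
     "phase 1 succeeded; the 'username: XAUTH \"password\"' line in ipsec.secrets was rejected"),
    ("IPsec SA established", "none",
     "tunnel is up; point the NAT rule at the tunnel address instead of plain masquerading"),
]

def triage(log, conn="vyprvpn"):
    """Parse pluto status lines for `conn`; return the furthest state reached and a diagnosis."""
    furthest, isakmp, failure, advice = None, False, "incomplete", "no terminal message seen"
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m or m.group(2) != conn:
            continue
        msg = m.group(4)
        state = re.match(r"STATE_\w+", msg)        # e.g. STATE_MAIN_I2, STATE_XAUTH_I1
        if state:
            furthest = state.group(0)
        isakmp = isakmp or "ISAKMP SA established" in msg
        if failure == "incomplete":
            for needle, label, what in RULES:
                if needle in msg:
                    failure, advice = label, what
                    break
    return {"furthest_state": furthest, "isakmp_established": isakmp,
            "failure": failure, "advice": advice}
```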

I can get this working, thanks. I use the two commands in bold, then edit the config.boot with the new NAT rule and reload.

But, how would you recommend doing this so the above steps can happen automatically?
The IP address given out by the VPN changes each time, so I have no idea how to do this.

Any ideas?

In theory we should be able to script the entire experience. Have it bring the VPN up, discover the IP address, and then alter the NAT rule on the device so that it’s set appropriately.

Unfortunately, I don’t have the router or currently available time to walk through doing that. I’ll put it in my list of “things to look at” for those moments when some time becomes available.

Any more progress on automatically bringing up the ipsec config on the EdgeMax routers? It looks like it has been a few months.

Hello, it would be desirable to know where; I just did not find anything, and the certificate that is listed here has already expired.

You can find the updated CA Certificate here - https://support.vyprvpn.com/hc/en-us/articles/360041273371-Where-can-I-find-your-CA-certificate-